Data Protection Policy
Last updated: February 2026
HMS Education Ltd is committed to handling personal data responsibly, transparently and in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Data Protection Policy sets out the principles, responsibilities and procedures that govern how we collect, use, store and protect personal data across our organisation.
1. Scope
This policy applies to all personal data processed by HMS Education Ltd, including data relating to students, enquirers, website visitors, employees, contractors and business contacts. It applies to all staff, consultants and any third parties who handle personal data on our behalf.
2. Data Protection Principles
We process personal data in accordance with the following principles as required by UK GDPR:
- Lawfulness, fairness and transparency — data is processed on a lawful basis and in a transparent manner.
- Purpose limitation — data is collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes.
- Data minimisation — only the data that is necessary for the stated purpose is collected.
- Accuracy — data is kept accurate and up to date; inaccurate data is corrected or erased without delay.
- Storage limitation — data is kept in a form that permits identification for no longer than necessary.
- Integrity and confidentiality — data is processed with appropriate security to protect against unauthorised access, loss or destruction.
- Accountability — HMS Education Ltd is responsible for and able to demonstrate compliance with all of the above principles.
3. Roles and Responsibilities
HMS Education Ltd is the Data Controller for all personal data we process. Our responsibilities include:
- Ensuring all data processing activities have a documented lawful basis.
- Maintaining records of processing activities (RoPA) as required by UK GDPR Article 30.
- Ensuring staff who handle personal data receive appropriate training.
- Reviewing and updating this policy and related procedures at least annually.
- Appointing a responsible person to oversee data protection compliance and act as the first point of contact for data subject enquiries.
4. Lawful Bases for Processing
We rely on the following lawful bases under UK GDPR Article 6 for processing personal data:
- Contract — processing necessary for the performance of a contract with the data subject.
- Legal obligation — processing necessary to comply with a legal obligation.
- Legitimate interests — processing necessary for our legitimate business interests, provided those interests are not overridden by the rights of the data subject.
- Consent — where no other lawful basis applies, we obtain the data subject's freely given, specific, informed and unambiguous consent before processing. Consent can be withdrawn at any time, and withdrawal is as easy as giving consent.
For special category data (e.g. health or disability information), we also identify a condition under UK GDPR Article 9, such as explicit consent or processing necessary for legal claims. Criminal offence data is not special category data; it is processed only under UK GDPR Article 10 with a condition in Schedule 1 of the Data Protection Act 2018.
5. Data Security
We implement appropriate technical and organisational security measures to protect personal data, including:
- Encryption of personal data in transit and at rest where appropriate.
- Access controls ensuring only authorised staff can access personal data.
- Regular review of access rights, particularly when staff roles change or employment ends.
- Secure disposal of personal data when no longer needed (deletion or physical destruction of records).
- Up-to-date anti-malware protection and software security patching.
- Regular backups to prevent data loss.
6. Data Retention
We retain personal data only as long as necessary for the purpose it was collected. Our general retention periods are:
- Enquiry records (no service engaged) — 12 months.
- Client and application records — 7 years from end of engagement.
- Employee records — 7 years from termination of employment.
- Financial records — 7 years (legal requirement).
- Marketing consent records — until consent is withdrawn or 3 years of inactivity.
A full retention schedule is maintained internally. Data is securely deleted or anonymised once the retention period expires.
7. Third-Party Processors
Where we engage third-party service providers to process personal data on our behalf (e.g. IT systems, email platforms, CRM tools), we ensure:
- A written Data Processing Agreement (DPA) is in place before any processing begins.
- The processor provides sufficient guarantees of appropriate technical and organisational measures.
- Processors are only permitted to process data on our documented instructions.
- We carry out due diligence on processors before appointment and review them periodically.
8. International Transfers
Where personal data is transferred outside the UK (a restricted transfer under UK GDPR), we ensure appropriate safeguards are in place. These may include UK adequacy regulations covering the destination country, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, or other transfer mechanisms permitted under UK GDPR. We document all international transfers and carry out a transfer risk assessment where the law requires one.
9. Data Subject Rights
We respect and facilitate the rights of data subjects under UK GDPR. Upon receiving a valid request, we will respond without undue delay and within one calendar month; where a request is complex or we receive several from the same person, we may extend this by up to two further months, and we will tell the requester within the first month if we do so. Requests are handled free of charge unless manifestly unfounded or excessive. Data subjects may exercise the following rights:
- Right of access (Subject Access Request).
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ('right to be forgotten').
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
- Rights relating to automated decision-making and profiling (we do not make decisions based solely on automated processing that have legal or similarly significant effects on individuals).
10. Data Breach Response
In the event of a personal data breach, we will:
- Contain and assess the breach as quickly as possible.
- Notify the ICO without undue delay and within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where notification is late, we record the reasons for the delay.
- Inform affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, including those not reported to the ICO, in our internal breach register.
All staff must report any suspected or confirmed data breach to the responsible person immediately.
11. Privacy by Design
HMS Education Ltd embeds data protection into the design of our processes and systems. When introducing new services, tools or processing activities, we consider data protection requirements from the outset. Where a new processing activity is likely to result in a high risk to individuals, we will carry out a Data Protection Impact Assessment (DPIA) before proceeding.
12. Staff Training and Awareness
All staff who handle personal data receive data protection training upon joining and at regular intervals thereafter. Staff are expected to read and follow this policy and any related procedures. Any questions or concerns about data protection should be directed to the responsible person.
13. Policy Review
This Data Protection Policy is reviewed at least annually, or sooner if there are significant changes to our processing activities, applicable law or ICO guidance. The current version and date of last review are shown at the top of this page.
14. Contact and Complaints
For any questions about this policy or to exercise your data subject rights, please use our contact page. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).